The following provides questions and answers on EJBCA SaaS security. To view all questions and answers related to EJBCA SaaS, see EJBCA SaaS FAQ.


Does EJBCA SaaS enforce two-factor authentication (2FA)?

2FA is required for all engineers who have access to customer environments. 2FA is optional for customers but highly recommended.


Does EJBCA SaaS have DDoS protection?

Yes, Keyfactor uses AWS Shield and Azure DDoS protection to protect EJBCA SaaS from DDoS attacks.


Are penetration tests performed on EJBCA SaaS? And if so, how often?

Yes, penetration tests are performed on EJBCA SaaS using Qualys. The scans are performed by the EJBCA SaaS operations team on a quarterly basis.


Does EJBCA SaaS use the latest, secure versions of all dependencies and development frameworks?

Yes, Keyfactor continuously monitors and updates the versions of software used in EJBCA SaaS.


How does EJBCA protect the data in transit and at rest?

The data in EJBCA SaaS is encrypted at rest and in transit using several strong encryption protocols and technologies, including Transport Layer Security/Secure Sockets Layer (TLS/SSL), Internet Protocol Security (IPSec), and Advanced Encryption Standard (AES).


Is data masked in development environments? Is production data/customer data used in testing?

Customer personal information is not used in development. Customer data is strictly kept in the production environment.


Does Keyfactor perform vulnerability tests on AWS and Azure or any other third parties?

Keyfactor does not perform vulnerability tests on AWS or Azure as they are ISO 27001 and SOC 2 certified and have extremely strict SLAs.


Do cookies include any authentication credentials or PII?

The only cookie Keyfactor uses in EJBCA SaaS is a session cookie to maintain the session state. The cookie does not hold any sensitive customer PII. For more information, refer to the Keyfactor EJBCA SaaS Privacy Policy at https://www.keyfactor.com/privacy-policy/


Do authentication controls fail securely with no information being provided?

Yes, when a customer attempts to log in with incorrect credentials, by default, authentication will fail and will not provide any information as to what failed.


Are Admin accounts held to the same password policy as users/customers? Or is it a higher standard?

Administrators (Admins) are held to the same strict password policy Keyfactor has created. Additionally, Admins are required to use two-factor authentication (2FA) in order to access customers' environments. Customers, on the other hand, are not required to use 2FA.


What is the process for backing up customer data?

Customer data is set to be backed up on a daily basis to a secure relational database service offered by the cloud providers.


How long is customer data retained and archived?

EJBCA SaaS follows the retention standards set by AWS and Azure. For active customers, data is backed up daily and retained. If a customer fails to pay their bill or cancels their subscription, their account and data will be deleted in 90 days. For active customers, Keyfactor archives data for a maximum of one year.


How long is log data retained?

Log data is stored for up to a year in AWS and Azure.


Are audit logs protected from being modified?

Yes, audit logs are immutable objects that are read-only and can't be edited. Additionally, EJBCA SaaS logs are protected through the use of signed audit logs and database tamper detection and resistance.


What are the password requirements in EJBCA SaaS?

Our password requirements follow the suggestions of the Open Web Application Security Project® (OWASP). Admins additionally must use 2FA to access a customer's environment.


Do you allow any unsecured port to be open in the environment?

No, the ports open in the environment are the essential ports to keep the product functioning. The ports that are open are secured and protected.


Does Keyfactor use a secure application platform build and security hardening process?

When assets are created in the EJBCA SaaS environment, a team of engineers hardens each device by disabling all but the essential features to keep the device secure while functioning effectively.


What security and vulnerabilities are considered during the development process?

Keyfactor has secure system development lifecycle processes to design, develop, and test software in a manner free of critical and high risk vulnerabilities. All common OWASP and high risk application vulnerabilities including XSS, CSRF, SQLi, and the OWASP Top 10 are considered in the development process.